From 5d4f4c747ab14201153347775ccf531b1318bc26 Mon Sep 17 00:00:00 2001 From: xantabdoc <67368298+xantabdoc@users.noreply.github.com> Date: Thu, 14 Oct 2021 19:46:18 +0700 Subject: [PATCH 1/6] [MM-223] Fixing Post Permissions Access --- server/http.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/server/http.go b/server/http.go index 01bf882e..4ec06351 100644 --- a/server/http.go +++ b/server/http.go @@ -303,6 +303,10 @@ func (p *Plugin) postMeeting(creator *model.User, meetingID int, channelID strin topic = defaultMeetingTopic } + if !p.API.HasPermissionToChannel(creator.Id, channelID, model.PERMISSION_CREATE_POST){ + return errors.New("this channel is not accessible, you might not have permissions to write in this channel. Contact the administrator of this channel to find out if you have access permissions") + } + slackAttachment := model.SlackAttachment{ Fallback: fmt.Sprintf("Video Meeting started at [%d](%s).\n\n[Join Meeting](%s)", meetingID, meetingURL, meetingURL), Title: topic, From caace5dacb5453b7e09013b03f62a2dd75916a93 Mon Sep 17 00:00:00 2001 From: Kitty Date: Sat, 23 Oct 2021 15:20:00 +0700 Subject: [PATCH 2/6] Fixing CircleCI Test (#223) --- server/plugin_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server/plugin_test.go b/server/plugin_test.go index 4caa7187..0219a347 100644 --- a/server/plugin_test.go +++ b/server/plugin_test.go @@ -88,6 +88,8 @@ func TestPlugin(t *testing.T) { Email: "theuseremail", }, nil) + api.On("HasPermissionToChannel", "theuserid", "thechannelid", model.PERMISSION_CREATE_POST).Return(true) + api.On("GetChannelMember", "thechannelid", "theuserid").Return(&model.ChannelMember{}, nil) api.On("GetPost", "thepostid").Return(&model.Post{Props: map[string]interface{}{}}, nil) From 3f1a743b3f8c41f0f3c9fc538818285c3f8d3d82 Mon Sep 17 00:00:00 2001 
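Review bot: In server/http.go (PATCH 1/6) the permission refusal in `postMeeting` is returned as an anonymous `errors.New(...)`, so the caller cannot tell a denied user from an internal failure. The test case added in PATCH 6/6 accordingly expects `http.StatusInternalServerError` for a user without `PERMISSION_CREATE_POST`. A package-level sentinel, `var errNoChannelPostPermission = errors.New(/* existing message */)`, returned here would let the handler test `errors.Is(err, errNoChannelPostPermission)` and answer with `http.StatusForbidden`. The check also runs with `meetingID` already assigned, so the meeting may have been set up before the post is refused; if the caller does create it first, the check belongs in the handler ahead of that step. `postMeeting` starts and ends outside the hunk, so the caller's order of operations cannot be confirmed from here.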
From: Kitty Date: Mon, 25 Oct 2021 11:46:35 +0700 Subject: [PATCH 3/6] Fixing CircleCI Test (#223) --- server/http.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/http.go b/server/http.go index 4ec06351..a37943f4 100644 --- a/server/http.go +++ b/server/http.go @@ -303,7 +303,7 @@ func (p *Plugin) postMeeting(creator *model.User, meetingID int, channelID strin topic = defaultMeetingTopic } - if !p.API.HasPermissionToChannel(creator.Id, channelID, model.PERMISSION_CREATE_POST){ + if !p.API.HasPermissionToChannel(creator.Id, channelID, model.PERMISSION_CREATE_POST) { return errors.New("this channel is not accessible, you might not have permissions to write in this channel. Contact the administrator of this channel to find out if you have access permissions") } From 88ad0afa5205c31d540233f922516cf5b92d92b1 Mon Sep 17 00:00:00 2001 From: kitty Date: Thu, 4 Nov 2021 17:49:16 +0700 Subject: [PATCH 4/6] Fixing Post Permissions Access (#223) --- server/plugin_test.go | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/server/plugin_test.go b/server/plugin_test.go index 0219a347..4fe334c0 100644 --- a/server/plugin_test.go +++ b/server/plugin_test.go 
@@ -56,26 +56,37 @@ func TestPlugin(t *testing.T) { for name, tc := range map[string]struct { Request *http.Request ExpectedStatusCode int + HasPermissionToChannel bool }{ "UnauthorizedMeetingRequest": { Request: noAuthMeetingRequest, ExpectedStatusCode: http.StatusUnauthorized, + HasPermissionToChannel: true, }, "ValidPersonalMeetingRequest": { Request: personalMeetingRequest, ExpectedStatusCode: http.StatusOK, + HasPermissionToChannel: true, }, "ValidStoppedWebhookRequest": { Request: validStoppedWebhookRequest, ExpectedStatusCode: http.StatusOK, + HasPermissionToChannel: true, }, "ValidStartedWebhookRequest": { Request: validStartedWebhookRequest, ExpectedStatusCode: http.StatusNotImplemented, + HasPermissionToChannel: true, }, "NoSecretWebhookRequest": { Request: noSecretWebhookRequest, ExpectedStatusCode: http.StatusUnauthorized, + HasPermissionToChannel: true, + }, + "UnauthorizedChannelPermissions": { + Request: personalMeetingRequest, + ExpectedStatusCode: http.StatusBadRequest, + HasPermissionToChannel: false, }, } { t.Run(name, func(t *testing.T) { @@ -88,7 +99,7 @@ func TestPlugin(t *testing.T) { Email: "theuseremail", }, nil) - api.On("HasPermissionToChannel", "theuserid", "thechannelid", model.PERMISSION_CREATE_POST).Return(true) + api.On("HasPermissionToChannel", "theuserid", "thechannelid", model.PERMISSION_CREATE_POST).Return(tc.HasPermissionToChannel) api.On("GetChannelMember", "thechannelid", "theuserid").Return(&model.ChannelMember{}, nil) From ae36c464ca766b58388a78e4d30bc44889346577 Mon Sep 17 00:00:00 2001 From: kitty Date: Thu, 4 Nov 2021 17:52:07 +0700 Subject: [PATCH 5/6] Fixing Post Permissions Access (#223) --- server/plugin_test.go | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/server/plugin_test.go b/server/plugin_test.go index 4fe334c0..b5434231 100644 --- a/server/plugin_test.go +++ b/server/plugin_test.go 
@@ -54,38 +54,38 @@ func TestPlugin(t *testing.T) { noSecretWebhookRequest := httptest.NewRequest("POST", "/webhook", strings.NewReader(endedPayload)) for name, tc := range map[string]struct { - Request *http.Request - ExpectedStatusCode int + Request *http.Request + ExpectedStatusCode int HasPermissionToChannel bool }{ "UnauthorizedMeetingRequest": { - Request: noAuthMeetingRequest, - ExpectedStatusCode: http.StatusUnauthorized, + Request: noAuthMeetingRequest, + ExpectedStatusCode: http.StatusUnauthorized, HasPermissionToChannel: true, }, "ValidPersonalMeetingRequest": { - Request: personalMeetingRequest, - ExpectedStatusCode: http.StatusOK, + Request: personalMeetingRequest, + ExpectedStatusCode: http.StatusOK, HasPermissionToChannel: true, }, "ValidStoppedWebhookRequest": { - Request: validStoppedWebhookRequest, - ExpectedStatusCode: http.StatusOK, + Request: validStoppedWebhookRequest, + ExpectedStatusCode: http.StatusOK, HasPermissionToChannel: true, }, "ValidStartedWebhookRequest": { - Request: validStartedWebhookRequest, - ExpectedStatusCode: http.StatusNotImplemented, + Request: validStartedWebhookRequest, + ExpectedStatusCode: http.StatusNotImplemented, HasPermissionToChannel: true, }, "NoSecretWebhookRequest": { - Request: noSecretWebhookRequest, - ExpectedStatusCode: http.StatusUnauthorized, + Request: noSecretWebhookRequest, + ExpectedStatusCode: http.StatusUnauthorized, HasPermissionToChannel: true, }, "UnauthorizedChannelPermissions": { - Request: personalMeetingRequest, - ExpectedStatusCode: http.StatusBadRequest, + Request: personalMeetingRequest, + ExpectedStatusCode: http.StatusBadRequest, HasPermissionToChannel: false, }, } { From 3b99b92efb387cfe0ca2ce61a1da1f3745946e5f Mon Sep 17 00:00:00 2001 From: kitty Date: Thu, 4 Nov 2021 18:02:29 +0700 Subject: [PATCH 6/6] Fixing Post Permissions Access (#223) --- server/plugin_test.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/server/plugin_test.go b/server/plugin_test.go index b5434231..dd302449 100644 --- a/server/plugin_test.go +++ b/server/plugin_test.go @@ -53,6 +53,9 @@ func TestPlugin(t *testing.T) { noSecretWebhookRequest := httptest.NewRequest("POST", "/webhook", strings.NewReader(endedPayload)) + unauthorizedUserRequest := httptest.NewRequest("POST", "/api/v1/meetings", strings.NewReader("{\"channel_id\": \"thechannelid\", \"personal\": true}")) + unauthorizedUserRequest.Header.Add("Mattermost-User-Id", "theuserid") + for name, tc := range map[string]struct { Request *http.Request ExpectedStatusCode int @@ -84,8 +87,8 @@ func TestPlugin(t *testing.T) { HasPermissionToChannel: true, }, "UnauthorizedChannelPermissions": { - Request: personalMeetingRequest, - ExpectedStatusCode: http.StatusBadRequest, + Request: unauthorizedUserRequest, + ExpectedStatusCode: http.StatusInternalServerError, HasPermissionToChannel: false, }, } {
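Review bot: The `UnauthorizedChannelPermissions` case in server/plugin_test.go (PATCH 6/6, second hunk) asserts only the response status, so it would still pass if the handler wrote to the channel and failed for some other reason afterwards. The property this series is meant to guarantee is that no post is created without `PERMISSION_CREATE_POST`, and the case should pin that directly, for example with `api.AssertNotCalled(t, "CreatePost", mock.Anything)` once the request has been served. That assumes `api` is the testify-based plugin mock, as the `api.On(...)` calls suggest, and that posting goes through `CreatePost`. The body of the `t.Run` closure is outside the hunk, so where the assertion fits is to be confirmed there.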